
Stagefright, described as one of the "worst Android vulnerabilities discovered to date", was discovered by Joshua J. Drake, Zimperium zLabs vice president of platform research and exploitation. Code exploiting it would theoretically be able to attack a device and delete the message that delivered it before a user could even see it. "If 'Heartbleed' from the PC era sends chills down your spine," the researchers said, referring to a devastating PC bug, "this is much worse".



The full details of the bug will be released at the Black Hat conference next week in Las Vegas, but researchers said it relies on the ability for a virus to be embedded within a video file. When sent directly to your device via MMS, the virus can then access other parts of your phone -- including photos, Bluetooth radios and more. So far Zimperium don't think anyone is exploiting the flaw -- at least, not yet. But it remains a serious problem. "These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep," said Zimperium. "Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual -- with a trojaned phone."


The bug was reported by Joshua Drake, from Zimperium zLabs, in April in order to give Google enough time to fix the problem and send patches out to its partners. Drake says that Google has done so -- but that most manufacturers have not reissued them to users, working to the traditionally slow pace of Android phone partners.

Some phones have already been patched -- Blackphone tweeted that it had fixed the bug "weeks ago" because researchers held back from going public for three months. Android phones below version 2.2 are not affected.

The researchers called on all manufacturers to release updates immediately.


"We hope that members of the Android ecosystem will recognise the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes," the team said.

Google told Android Central that patches were already in place for any device -- it just depends on manufacturers issuing them in the wild. "We thank Joshua Drake for his contributions," Google said in a statement to Android Central. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device." "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."